optimize chains out more often

89514168 · Kaarle Ritvanen · 071952b1 · 89514168 · 89514168 · 89514168
Commit 89514168 authored Jan 09, 2017 by Kaarle Ritvanen
Hide whitespace changes
Inline Side-by-side

Showing with 75 additions and 73 deletions

awall/model.lua awall/model.lua +50 -37

awall/modules/filter.lua awall/modules/filter.lua +19 -28

awall/modules/mark.lua awall/modules/mark.lua +6 -8

No files found.
--- a/awall/model.lua
+++ b/awall/model.lua
@@ -24,6 +24,7 @@ local extend = util.extend
 local filter = util.filter
 local join = util.join
 local listpairs = util.listpairs
+local map = util.map
 local maplist = util.maplist
 local setdefault = util.setdefault

@@ -430,6 +431,49 @@ function M.Rule:target()
 end


+function M.Rule:combine(ofs1, ofs2, key, unique)
+
+   local function connect()
+      local chain = self:uniqueid(key)
+      local function setvar(name)
+	 return function(of)
+	    setdefault(of, name, chain)
+	    return of
+	 end
+      end
+
+      return extend(map(ofs1, setvar('target')), map(ofs2, setvar('chain')))
+   end
+
+   local chainless = filter(ofs2, function(of) return not of.chain end)
+   local created = {}
+   local res = {}
+
+   for _, of in ipairs(ofs1) do
+      if of.target == nil then
+
+	 local ofs = combinations(chainless, {{family=of.family}})
+	 assert(#ofs > 0)
+
+	 if unique then
+	    assert(of.family)
+	    if created[of.family] then return connect() end
+	    created[of.family] = true
+
+	    if #ofs > 1 then return connect() end
+	 end
+
+	 local comb = combinations({of}, ofs)
+	 if #comb < #ofs then return connect() end
+	 extend(res, comb)
+
+      else table.insert(res, of) end
+   end
+
+   return res
+end
+
+
 function M.Rule:trules()

   local function tag(ofrags, tag, value)
@@ -496,52 +540,26 @@ function M.Rule:trules()

   ofrags = combinations(ofrags, self:servoptfrags())

+   tag(ofrags, 'position', self:position())
+
   setfamilies(ofrags)

   local addrofrags = combinations(
      self:create(M.Zone, {addr=self.src}):optfrags(self:direction('in')),
      self:destoptfrags()
   )
-   local combined = ofrags
-
   if addrofrags then
      addrofrags = ffilter(addrofrags)
      setfamilies(addrofrags)
-      ofrags = ffilter(ofrags)
-
-      combined = {}
-      for i, ofrag in ipairs(ofrags) do
-	 local aofs = combinations(addrofrags, {{family=ofrag.family}})
-	 local cc = combinations({ofrag}, aofs)
-	 if #cc < #aofs then
-	    combined = nil
-	    break
-	 end
-	 extend(combined, cc)
-      end
+      ofrags = self:combine(ffilter(ofrags), addrofrags, 'address')
   end

-   if combined then ofrags = combined end
-
-   tag(ofrags, 'position', self:position())
-
-   local addrchain
-   if not combined then
-      addrchain = self:uniqueid('address')
-      self:settarget(ofrags, addrchain)
-      extend(ofrags, combinations(addrofrags, {{chain=addrchain}}))
-   end
+   ofrags = self:mangleoptfrags(ofrags)

-   local function bancustom() self:error('Custom action not allowed here') end
   local custom = self:customtarget()
-
-   ofrags = self:mangleoptfrags(ofrags)
   for _, ofrag in ipairs(ofrags) do
-      if custom and ofrag.target and ofrag.target ~= addrchain then
-	 bancustom()
-      end
+      setdefault(ofrag, 'target', custom or self:target())
   end
-   self:settarget(ofrags, custom or self:target())

   local tbl = self:table()

@@ -601,7 +619,7 @@ function M.Rule:trules()
   )

   local extra = self:extratrules(ofrags)
-   if custom and extra[1] then bancustom() end
+   if custom and extra[1] then self:error('Custom action not allowed here') end
   return extend(ofrags, extra)
 end

@@ -614,11 +632,6 @@ function M.Rule:customtarget()
   end
 end

-function M.Rule:settarget(ofrags, target)
-   for _, ofrag in ipairs(ofrags) do setdefault(ofrag, 'target', target) end
-   return ofrags
-end
-
 function M.Rule:mangleoptfrags(ofrags) return ofrags end

 function M.Rule:trulefilter(rule) return true end

--- a/awall/modules/filter.lua
+++ b/awall/modules/filter.lua
@@ -158,20 +158,20 @@ function LoggingRule:logdefault() return false end

 function LoggingRule:target() return 'ACCEPT' end

-function LoggingRule:logchain(log, action, target)
-   if not log then return {}, target end
-   local chain = self:uniqueid('log'..action)
-
-   local ofrags = log:optfrags()
-   if target then table.insert(ofrags, {target=target}) end
+function LoggingRule:actofrags(log, target)
+   local res = log and log:optfrags() or {}
+   if target ~= nil then table.insert(res, {target=target}) end
+   return res
+end

-   return combinations({{chain=chain}}, ofrags), chain
+function LoggingRule:combinelog(ofrags, log, action, target)
+   local actions = self:actofrags(log, target)
+   return actions[1] and
+      self:combine(ofrags, actions, 'log'..action, log) or ofrags
 end

 function LoggingRule:mangleoptfrags(ofrags)
-   if not self.log then return ofrags end
-   local ofs, chain = self:logchain(self.log, self.action, self:target())
-   return extend(self:settarget(ofrags, chain), ofs)
+   return self:combinelog(ofrags, self.log, self.action, self:target())
 end


@@ -346,37 +346,28 @@ function Filter:mangleoptfrags(ofrags)
   end

   local limitchain = self:uniqueid('limit')
-   self:settarget(ofrags, limitchain)
-
   local limitlog = self[limit].log
   local limitobj = self:create(FilterLimit, self[limit], 'limit')

-   local ofs = {}
-   local logch, limitofs
+   local ofs
   local accept = self:position() == 'append'

   local uofs, sofs = limitobj:recentofrags(limitchain)

   if uofs then
-      ofs, logch = self:logchain(limitlog, 'drop', 'DROP')
-
-      limitofs = combinations(uofs, {{target=logch}})
-      if accept and self.log then extend(limitofs, self.log:optfrags()) end
-      extend(limitofs, combinations(sofs, {{target=accept and 'ACCEPT'}}))
+      ofs = self:combinelog(uofs, limitlog, 'drop', 'DROP')
+      if accept then extend(ofs, self:actofrags(self.log)) end
+      extend(ofs, combinations(sofs, {{target=accept and 'ACCEPT'}}))

   else
-      if accept then ofs, logch = self:logchain(self.log, 'accept', 'ACCEPT')
-      else logch = 'RETURN' end
+      local limofs = limitobj:limitofrags(limitchain)
+      ofs = accept and Filter.super(self):mangleoptfrags(limofs) or
+	 combinations(limofs, {{target='RETURN'}})

-      limitofs = combinations(
-	 limitobj:limitofrags(limitchain), {{target=logch}}
-      )
-      if limitlog then extend(limitofs, limitlog:optfrags()) end
-      table.insert(limitofs, {target='DROP'})
+      extend(ofs, self:actofrags(limitlog, 'DROP'))
   end

-   extend(ofrags, ofs)
-   return extend(ofrags, combinations({{chain=limitchain}}, limitofs))
+   return self:combine(ofrags, ofs, 'limit', true)
 end



--- a/awall/modules/mark.lua
+++ b/awall/modules/mark.lua
@@ -9,7 +9,7 @@ local model = require('awall.model')
 local class = model.class

 local combinations = require('awall.optfrag').combinations
-local util = require('awall.util')
+local list = require('awall.util').list


 local MarkRule = class(model.Rule)
@@ -27,18 +27,16 @@ function MarkRule:target() return 'MARK --set-mark '..self.mark end
 local RouteTrackRule = class(MarkRule)

 function RouteTrackRule:mangleoptfrags(ofrags)
-   local markchain = self:uniqueid('mark')
-   return util.extend(
-      self:settarget(
-	 combinations(ofrags, {{match='-m mark --mark 0'}}), markchain
-      ),
-      {{chain=markchain}, {chain=markchain, target='CONNMARK --save-mark'}}
+   return self:combine(
+      combinations(ofrags, {{match='-m mark --mark 0'}}),
+      {{}, {target='CONNMARK --save-mark'}},
+      'mark'
   )
 end


 local function restoremark(config)
-   if util.list(config['route-track'])[1] then
+   if list(config['route-track'])[1] then
      return combinations(
 	 {{family='inet'}, {family='inet6'}},
 	 {{chain='OUTPUT'}, {chain='PREROUTING'}},